9.21.3 Discussion

Snort can act as a simple packet sniffer, providing a level of detail
between the terseness of tcpdump [Recipe 9.16] and the verbosity of
tethereal [Recipe 9.17]. The -v option prints a summary of the protocol
information for each packet. To dump the payload data in hexadecimal
and ASCII, add the -d option (with the -C option if you care only about
the characters). For more information about lower-level protocols, add
-e to print a summary of the link-level (Ethernet) headers, or use -X
instead of -d to dump the protocol headers along with the payload data:

If your system is connected to multiple networks, use the -i option to
select an interface for sniffing. Alternatively, you can read
libpcap-format trace files [Recipe 9.16] saved by Snort or some other
compatible network sniffer, by using the -r option.

Append a filter expression to the command line to limit the data
collected, using the same syntax as for tcpdump [Recipe 9.16]. Filter
expressions can focus attention on specific machines (such as your
production web server), or efficiently ignore uninteresting traffic,
especially if it is causing false alarms. When Snort is displaying
data from network trace files, the filter expression selects packets
to be printed, a handy feature when playing back previously logged
data.

By default, Snort captures entire packets to examine their payloads.
If you are looking at only a few specific protocols, and you know
that the data of interest is at the start of the packets, use the
-P option to specify smaller snapshots and achieve
an efficiency gain.
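As an added illustration (not code from the book or from Snort), the following Python reads a libpcap-format trace the way snort -r does and renders the views the options above produce: the link-layer line of -e, the protocol summary of -v, and the payload dump of -d or -C; the snaplen field it checks is what -P sets. The pcap file, Ethernet/IPv4/TCP frame and addresses are constructed inline; field layouts follow the published pcap and protocol formats.

```python
import struct

# Constructed sample (not a real capture): one Ethernet/IPv4/TCP frame carrying
# a tiny HTTP request, wrapped in a little-endian libpcap file header.
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"
ETH = bytes.fromhex("001122334455" "66778899aabb" "0800")          # dst, src, EtherType IPv4
IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(PAYLOAD), 1, 0, 64, 6, 0,
                   bytes([10, 0, 0, 5]), bytes([192, 0, 2, 80]))   # checksum left as 0
TCP = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)  # PSH|ACK
FRAME = ETH + IPV4 + TCP + PAYLOAD
PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)   # snaplen 1514, DLT_EN10MB
        + struct.pack("<IIII", 0, 0, len(FRAME), len(FRAME)) + FRAME)

def read_pcap(data):
    """Yield each captured frame from a little-endian pcap file, as snort -r would."""
    magic, _, _, _, _, snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        # incl never exceeds snaplen (what -P sets), so a frame may be truncated
        yield data[off + 16:off + 16 + min(incl, snaplen)]
        off += 16 + incl

def parse_frame(frame):
    """Split an Ethernet/IPv4/TCP frame into the layers that -e, -v and -d print."""
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    ihl = (frame[14] & 0x0F) * 4                    # IPv4 header length in bytes
    proto, sip, dip = frame[23], frame[26:30], frame[30:34]
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    thl = (tcp[12] >> 4) * 4                        # TCP data offset in bytes
    return {"link": "%s -> %s type:0x%04X" % (src.hex(":"), dst.hex(":"), etype),
            "summary": "%s:%d -> %s:%d proto %d" % (".".join(map(str, sip)), sport,
                                                     ".".join(map(str, dip)), dport, proto),
            "payload": tcp[thl:]}

def hexdump(data, chars_only=False):
    """Payload view: hex plus ASCII like -d, or the characters only like -C."""
    printable = "".join(chr(b) if 32 <= b < 127 else "." for b in data)
    if chars_only:
        return printable
    return "\n".join("%-48s %s" % (data[i:i + 16].hex(" "), printable[i:i + 16])
                     for i in range(0, len(data), 16))

if __name__ == "__main__":
    for frame in read_pcap(PCAP):
        layers = parse_frame(frame)
        print(layers["link"], layers["summary"], hexdump(layers["payload"]), sep="\n")
```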

9.21.4 See Also

snort(8), tcpdump(1), tethereal(1). The Snort home page is
http://www.snort.org.